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AUTHENTICATED CODE METHOD AND 
APPARATUS 

RELATED APPLICATIONS 

5 [0001] This application is related to Application Serial Number 

/ , entitled "Processor Supporting Execution Of An Authenticated 

Code Instruction"; and Application Serial Number / , entitled 

"Authenticated Code Module" both filed on the same date as the present 
application. 

10 BACKGROUND 

[0002] Computing devices execute firmware and/or software code to 
perform various operations. The code may be in the form of user applications^ 
BIOS routines, operating system routines, etc. Some operating systems provide 
limited protections for maintaining the integrity of the computing device against 

15 rogue code. For example, an administrator may limit users or groups of users to 
executing certain pre-approved code. Further, an administrator may configure a 
sandbox or an isolated environment in which untrusted code may be executed 
until the administrator deems the code trustworthy. While the above techniques 
provide some protection, they generally require an administrator to manually 

20 make a trust determination based upon the provider of the code, historic 
performance of the code, and/or review of the source code itself. 
[0003] Other mechanisms have also been introduced to provide automated 
mechanisms for making a trust decision. For example, an entity (e.g. software 
manufacturer) may provide the code with a certificate such as a X.509 certificate 
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that digitally signs the code and attests to the integrity of the code. An 
administrator may configure an operating system to automatically allow users to 
execute code that provides a certificate from a trusted entity without the 
administrator specifically analyzing the code in question. While the above 
5 technique may be sufficient for some environments, the above technique 
inherently trusts the operating system or other software executing under the 
control of the operating system to correctly process the certificate. 
[0004] Certain operations, however, may not be able to trust the operating 
system to make such a determination. For example, the code to be executed 

10 may result in the computing device determining whether the operating system is 
to be trusted. Relying on the operating system to authenticate such code would 
thwart the purpose of the code. Further, the code to be executed may comprise 
system initialization code that is executed prior to the operating system of the 
computing device. Such code therefore cannot be authenticated by the operating 

15 system. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0005] The invention described herein is illustrated by way of example and 
not by way of limitation in the accompanying figures. For simplicity and clarity of 
illustration, elements illustrated in the figures are not necessarily drawn to scale. 
20 For example, the dimensions of some elements may be exaggerated relative to 
other elements for clarity. Further, where considered appropriate, reference 
numerals have been repeated among the figures to indicate corresponding or 
analogous elements. 
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[0006] FIGS. 1A-1E illustrate example embodiments of a computing device 
having private memory. 

[0007] FIG. 2 illustrates an example authenticated code (AC) module that 
may launched by the computing device shown in FIGS. 1A-1E. 
5 [0008] FIG. 3 illustrates an example embodiment of the processor of the 
computing device shown in FIGS. 1A-1E. 

[0009] FIG. 4 illustrates an example method of launching the AC module 
shown in FIG. 2. 

[0010] FIG. 5 illustrates an example method of terminating execution of the 
10 AC module shown in FIG, 2. 

[001 1] FIG. 6 illustrates another embodiment of the computing device 
shown in FIGS. 1A-1E. 

[0012] FIGS. 7A-7B illustrate example methods of launching and 
terminating execution of the AC module shown in FIG. 2. 
15 [0013] FIG. 8 illustrates a system for simulating, emulating, and/or testing 
the processors of the computing devices shown in FIGS. 1A-1E. 

DETAILED DESCRIPTION 

[0014] The following description describes techniques for launching and 
terminating execution of authenticated code (AC) modules that may be used for 
20 various operations such as establishing and/or maintaining a trusted computing 
environment. In the following description, numerous specific details such as logic 
implementations, opcodes, means to specify operands, resource 
partitioning/sharing/duplication implementations, types and interrelationships of 

3 
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system components, and logic partitioning/integration choices are set forth in 
order to provide a more thorough understanding of the present invention. It will 
be appreciated, however, by one skilled in the art that the invention may be 
practiced without such specific details. In other instances, control structures, gate 
5 level circuits and full software instruction sequences have not been shown in 
detail in order not to obscure the invention. Those of ordinary skill in the art, with 
the included descriptions, will be able to implement appropriate functionality 
without undue experimentation. 

[0015] References in the specification to "one embodiment", "an 
10 embodiment", "an example embodiment", etc., indicate that the embodiment 
described may include a particular feature, structure, or characteristic, but every 
embodiment may not necessarily include the particular feature, structure, or 
characteristic. Moreover, such phrases are not necessarily referring to the same 
embodiment. Further, when a particular feature, structure, or characteristic is 
1 5 described in connection with an embodiment, it is submitted that it is within the 
knowledge of one skilled in the art to effect such feature, structure, or 
characteristic in connection with other embodiments whether or not explicitly 
described. 

[0016] In the following description and claims, the terms "coupled" and 
20 "connected," along with their derivatives, may be used. It should be understood 
that these terms are not intended as synonyms for each other. Rather, in 
particular embodiments, "connected" 1 may be used to indicate that two or more 
e | emen t s are in direct physical or electrical contact with each other. "Coupled" 
may mean that two or more elements are in direct physical or electrical contact. 

4 
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However, "coupled" may also mean that two or more elements are not in direct 
contact with each other, but yet still co-operate or interact with each other. 
[0017] Example embodiments of a computing device 1 00 are shown in FIG, 
1A-1E. The computing device 100 may comprise one or more processors 110 

5 coupled to a chipset 120 via a processor bus 130. The chipset 120 may comprise 
one or more integrated circuit packages or chips that couple the processors 110 
to system memory 140, a physical token 150, private memory 160, a media 
interface 170, and/or other I/O devices of the computing device 100. 
[0018] Each processor 110 may be implemented as a single integrated 

10 circuit, multiple integrated circuits, or hardware with software routines (e.g., binary 
translation routines). Further, the processors 110 may comprise cache memories 
1 12 and control registers 1 14 via which the cache memories 1 12 may be 
configured to operate in a normal cache mode or in a cache-as-RAM mode. In 
the normal cache mode, the cache memories 112 satisfy memory requests in 

15 response to cache hits, replace cache lines in response to cache misses, and 
may invalidate or replace cache lines in response to snoop requests of the 
processor bus 1 30. In the cache-as-RAM mode, the cache memories 112 
operate as random access memory in which requests within the memory range of 
the cache memories 112 are satisfied by the cache memories and lines of the 

20** cache are not replaced or invalidated in response to snoop requests of the 
processor bus 1 30. 

[001 9] The processors 1 1 0 may further comprise a key 1 1 6 such as, for 
example, a key of a symmetric cryptographic algorithm (e.g. the well known DES, 
3DES, and AES algorithms) or of an asymmetric cryptographic algorithm (e.g. the 

5 
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well-known RSA algorithm). The processor 110 may use the key 116 to authentic 
an AC module 190 prior to executing the AC module 190. 
[0020] The processors 110 may support one or more operating modes 
such as, for example, a real mode, a protected mode, a virtual real mode, and a 
5 virtual machine mode (VMX mode). Further, the processors 110 may support one 
or more privilege levels or rings in each of the supported operating modes. In 
general, the operating modes and privilege levels of a processor 110 define the 
instructions available for execution and the effect of executing such instructions. 
More specifically, a processor 110 may be permitted to execute certain privileged 
10 instructions only if the processor 1 10 is in an appropriate mode and/or privilege 
level. 

[0021] The processors 1 1 0 may also support locking of the processor bus 
130. As a result of locking the processor bus 130, a processor 1 10 obtains 
exclusive ownership of the processor bus 130. The other processors 110 and the 

15 chipset 120 may not obtain ownership of the processor bus 130 until the 

processor bus 130 is released. In an example embodiment, a processor 110 may 
issue a special transaction on the processor bus 130 that provides the other 
processors 110 and the chipset 120 with a LTPROCESSOR.HOLD message. 
The LT.PROCESSOR.HOLD bus message prevents the other processors 110 

20 and theachipset 120 from acquiring ownership of the processor bus 130 until the 
processor 110 releases the processor bus 130 via a LT.PROCESSOR.RELEASE 
bus message. 

[0022] The processors 110 may however support alternative and/or 
additional methods of locking the processor bus 130. For example, a processor 
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110 may inform the other processors 110 and/or the chipset 120 of the lock 
condition by issuing an Inter-Processor Interrupt, asserting a processor bus lock 
signal, asserting a processor bus request signal, and/or causing the other 
processors 1 10 to halt execution. Similarly, the processor 110 may release the 
5 processor bus 130 by issuing an Inter-Processor Interrupt, deasserting a 
processor bus lock signal, deasserting a processor bus request signal, and/or 
causing the other processors 110 to resume execution. 

[0023] The processors 110 may further support launching AC modules 190 
and terminating execution of AC modules 190. In an example embodiment, the 

1 0 processors 1 1 0 support execution of an ENTERAC instruction that loads, 

authenticates, and initiates execution of an AC module 190 from private memory 
160. However, the processors 110 may support additional or different instructions 
that cause the processors 110 to load, authenticate, and/or initiate execution of 
an AC module 190. These other instructions may be variants for launching AC 

15 modules 190 or may be concerned with other operations that launch AC modules 
190 to help accomplish a larger task. Unless denoted otherwise, the ENTERAC 
instruction and these other instructions are referred to hereafter as launch AC 
instructions despite the fact that some of these instructions may load, 
authenticate, and launch an AC module 190 as a side effect of another operation 

20 such as, for example establishing a trusted computing environment. 

[0024] In an example embodiment, the processors 110 further support 
execution of an EXITAC instruction that terminates execution of an AC module 
190 and initiates post-AC code (See, FIG. 6). However, the processors 1 10 may 
support additional or different instructions that result in the processors 110 
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terminating an AC module 190 and launching post-AC code. These other 
instructions may be variants of the EXITAC instruction for terminating AC 
modules 190 or may be instructions concerned primarily with other operations that 
result in AC modules 190 being terminated as part of a larger operation. Unless 
5 denoted otherwise, the EXITAC instruction and these other instructions are 
referred to hereafter as terminate AC instructions despite the fact that some of 
these instructions may terminate AC modules 1 90 and launch post-AC code as a 
side effect of another operation such as, for example, tearing down a trusted 
computing environment. 
10 [0025] The chipset 120 may comprise a memory controller 122 for 

controlling access to the memory 140. Further, the chipset 120 may comprise a 
key 124 that the processor 110 may use to authentic an AC module 190 prior to 
execution. Similar to the key 116 of the processor 110, the key 124 may 
comprise a key of a symmetric or asymmetric cryptographic algorithm. 
15 [0026] The chipset 120 may also comprise trusted platform registers 126 to 
control and provide status information about trusted platform features of the 
chipset 120. In an example embodiment, the chipset 120 maps the trusted 
platform registers 126 to a private space 142 and/or a public space 144 of the 
memory 140 to enable the processors 1 10 to access the trusted platform registers 
20 126 in a consistent manner. 

[0027] For example, the chipset 120 may map a subset of the registers 126 
as read only locations in the public space 144 and may map the registers 126 as 
read/write locations in the private space 142. The chipset 120 may configure the 
private space 142 in a manner that enables only processors 1 10 in the most 
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privileged mode to access its mapped registers 126 with privileged read and write 
transactions. Further, the chipset 120 may further configure the public space 144 
in a manner that enables processors 1 10 in all privilege modes to access its 
mapped registers 126 with normal read and write transactions. The chipset 120 
5 may also open the private space 142 in response to an OpenPrivate command 
being written to a command register 126. As a result of opening the private space 
142, the processors 110 may access the private space 142 in the same manner 
as the public space 144 with normal unprivileged read and write transactions. 
[0028] The physical token 150 of the computing device 100 comprises 
10 protected storage for recording integrity metrics and storing secrets such as, for 
example, encryption keys. The physical token 150 may perform various integrity 
functions in response to requests from the processors 110 and the chipset 120. 
In particular, the physical token 150 may store integrity metrics in a trusted 
manner, may quote integrity metrics in a trusted manner, may seal secrets such 
15 as encryption keys to a particular environment, and may only unseal secrets to 
the environment to which they were sealed. Hereinafter, the term "platform key" 
is used to refer to a key that is sealed to a particular hardware and/or software 
environment. The physical token 150 may be implemented in a number of 
different manners. However, in an example embodiment, the physical token 150 
20 is implemented to comply with the specification of the Trusted Platform Module 
(TPM) described in detail in the Trusted Computing Platform Alliance (TCPA) 
Main Specification, Version 1.1, 31 July 2001. 

[0029] The private memory 160 may store an AC module 1 90 in a manner 
that allows the processor or processors 110 that are to execute the AC module 
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190 to access the AC module 190 and that prevents other processors 110 and 
components of the computing device 100 from altering the AC module 190 or 
interfering with the execution of the AC module 190, As shown in FIG. 1A, the 
private memory 160 may be implemented with the cache memory 1 12 of the 
5 processor 110 that is executing the launch AC instruction. Alternatively, the 
private memory 160 may be implemented as a memory area internal to the 
processor 1 10 that is separate from its cache memory 1 12 as shown in FIG. 1 B. 
The private memory 160 may also be implemented as a separate external 
memory coupled to the processors 110 via a separate dedicated bus as shown in 
1 0 FIG. 1 C, thus enabling only the processors 1 1 0 having associated external 
memories to validly execute launch AC instructions. 

[0030] The private memory 160 may also be implemented via the system 
memory 140. in such an embodiment, the chipset 120 and/or processors 110 
may define certain regions of the memory 140 as private memory 160 (see FIG. 

15 1 D) that may be restricted to a specific processor 1 10 and that may only be 
accessed by the specific processor 1 10 when in a particular operating mode. 
One disadvantage of this implementation is that the processor 110 relies on the 
memory controller 122 of the chipset 120 to access the private memory 160 and 
the AC module 190. Accordingly, an AC module 190 may not be able to 

20 reconfigure the memory controller 1 22 without denyin§*the processor 1 1 0 access 
to the AC module 190 and thus causing the processor 110 to abort execution of 
the AC module 190. 

[0031] The private memory 160 may also be implemented as a separate 
memory coupled to a separate private memory controller 128 of the chipset 120 
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as shown in FIG. 1E. In such an embodiment, the private memory controller 128 
may provide a separate interface to the private memory 160. As a result of a 
separate private memory controller 128, the processor 110 may be able to 
reconfigure the memory controller 122 for the system memory 140 in a manner 
5 that ensures that the processor 1 10 will be able to access the private memory 1 60 
and the AC module 190. In general, the separate private memory controller 128 
overcomes some disadvantages of the embodiment shown in FIG. 1D at the 
expense of an additional memory and memory controller. 
[0032] The AC module 190 may be provided in any of a variety of machine 

10 readable mediums 180. The media interface 170 provides an interface to a 

— machine readable medium 180 and AC module 190. The machine readable 
medium 180 may comprise any medium that can store, at least temporarily, 
information for reading by the machine interface 170. This may include signal 
transmissions (via wire, optics, or air as the medium) and/or physical storage 

15 media such as various types of disk and memory storage devices. 

[0033] Referring now to FIG. 2, an example embodiment of the AC module 
190 is shown in more detail. The AC module 190 may comprise code 210 and 
data 220. The code 210 comprises one or more code pages 212 and the data 
220 comprises one or more data pages 222; Each code page 212 and data page 

20 222 in an example embodiment corresponds to a 4 kilobyte contiguous memory 
region; however, the code 210 and data 220 may be implemented with different 
page sizes or in a non-paging manner. The code pages 212 comprise processor 
instructions to be executed by one or more processors 110 and the data pages 
222 comprise data to be accessed by one or more processors 110 and/or scratch 
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pad for storing data generated by one or more processors 1 10 in response to 
executing instructions of the code pages 212. 

[0034] The AC module 190 may further comprise one or more headers 230 
that may be part of the code 21 0 or the data 220. The headers 230 may provide 
5 information about the AC module 190 such as, for example, module author, 

copyright notice, module version, module execution point location, module length, 
authentication method, etc. The AC module 190 may further comprise a 
signature 240 which may be a part of the code 210, data 220, and/or headers 
230. The signature 240 may provide information about the AC module 190, 
10 authentication entity, authentication message, authentication method, and/or 
digest tolue. 

[0035] The AC module 190 may also comprise an end of module marker 
250. The end of module marker 250 specifies the end of the AC module 190 and 
may be used as an alternative to specifying the length of the AC module 190. For 

15 example, the code pages 212 and data pages 222 may be specified in a 
contiguous manner and the end of module marker 250 may comprise a 
predefined bit pattern that signals the end of the code pages 212 and data pages 
222. It should be appreciated that the AC module 190 may specify its length 
and/or end in a number of different manners. For example, the header 230 may 

20 specify the number of bytes or the number of pages the AC module 190 contatas. 
Alternatively, launch AC and terminate AC instructions may expect the AC module 
190 be a predefined number of bytes in length or contain a predefined number of 
pages. Further, launch AC and terminate AC instructions may comprise 
operands that specify the length of the AC module 190. 

12 
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[0036] It should be appreciated that the AC module 190 may reside in a 
contiguous region of the memory 140 that is contiguous in the physical memory 
space or that is contiguous in virtual memory space. Whether physically or 
virtually contiguous, the locations of the memory 140 that store the AC module 
5 190 may be specified by a starting location and a length and/or end of module 
marker 250 may specify. Alternatively, the AC module 190 may be stored in 
memory 140 in neither a physically or a virtually contiguous manner. For 
example, the AC module 190 may be stored in a data structure such as, for 
example, a linked list that permits the computing device 100 to store and retrieve 
10 the AC module 190 from the memory 140 in a non-contiguous manner. 

[0037] As will-be discussed in more detail below, the example processors 
110 support launch AC instructions that load the AC module 190 into private 
memory 160 and initiate execution of the AC module 190 from an execution point 
260. An AC module 190 to be launched by such a launch AC instruction may 
15 comprise code 210 which when loaded into the private memory 160 places the 
execution point 260 at a location specified one or more operands of a launch AC 
instruction. Alternatively, a launch AC instruction may result in the processor 110 
obtaining the location of the execution point 260 from the AC module 190 itself. 
For example, the code 210, data 220, a header 230, and/or signature 240 may 
20 comprise one or more fields that specify the location of the execution point 260. 
[0038] As will be discussed in more detail below, the example processors 
110 support launch AC instructions that authenticated the AC module 1 90 prior to 
execution. Accordingly, the AC module 190 may comprise information to support 
authenticity determinations by the processors 1 1 0. For example, the signature 
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240 may comprise a digest value 242. The digest value 242 may be generated 
by passing the AC module 190 through a hashing algorithm (e.g. SHA-1 or MD5) 
or some other algorithm. The signature 240 may also be encrypted to prevent 
alteration of the digest value 242 via an encryption algorithm (e.g. DES. 3DES, 

5 AES, and/or RSA algorithms). In example embodiment, the signature 240 is 
RSA-encrypted with the private key that corresponds to a public key of the 
processor key 1 1 6, the chipset key 1 20, and/or platform key 1 52. 
[0039] It should be appreciated that the AC module 1 90 may be 
authenticated via other mechanisms. For example, the AC module 190 may 

10 utilize different hashing algorithms or different encryption algorithms. Further, the 
AC module 190 may comprise information in the code 210, data 220, headers 
230, and/or signature 240 that indicate which algorithms were used. The AC 
- module 190 may also be protected by encrypting the whole AC module 190 for 
decryption via a symmetric or asymmetric key of the processor key 116, chipset 

15 key 124, or platform key 152. 

[0040] An example embodiment of the processor 1 1 0 is illustrated in more 
detail in FIG. 3. As depicted, the processor 1 10 may comprise a front end 302, a 
register file 306, one or more execution units 370, and a retirement unit or back 
end 380. The front end 302 comprises a processor bus interface 304, a fetching 

20 unit 330 having instruction and instruction pointer registers 314, 316, a decoder 
340, an instruction queue 350, and one or more cache memories 360. The 
register file 306 comprises general purpose registers 312, status/control registers 
318, and other registers 320. The fetching unit 330 fetches the instructions 
specified by the instruction pointer registers 316 from the memory 140 via the 

14 
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processor bus interface 304 or the cache memories 360 and stores the fetched 
instructions in the instruction registers 314. 

[0041] An instruction register 314 may contain more than one instruction. 
According, the decoder 340 identifies the instructions in the instruction registers 

5 314 and places the identified instructions in the instruction queue 350 in a form 
suitable for execution. For example, the decoder 340 may generate and store 
one or more micro-operations (uops) for each identified instruction in the 
instruction queue 350. Alternatively, the decoder 340 may generate and store a 
single macro-operation (Mop) for each identified instruction in the instruction 

1 0 queue 350. Unless indicated otherwise the term ops is used hereafter to refer to 
both uops and Mops. 

[0042] The processor 1 1 0 further comprises one or more execution units 
370 that perform the operations dictated by the ops of the instruction queue 350. 
For example, the execution units 370 may comprise hashing units, decryption 

15 units, and/or microcode units that implement authentication operations that may 
be used to authenticate the AC module 190. The execution units 370 may 
perform in-order execution of the ops stored in the instruction queue 350. 
However, in an example embodiment, the processor 110 supports out-of-order 
execution of ops by the execution units 370. In such an embodiment, the 

20 processor 1 1 0 may further comprise a retirement unit 380 that removes ops from 
the instruction queue 350 in-order and commits the results of executing the ops to 
one or more registers 312, 314, 316, 318, 320 to insure proper in-order results. 
[0043] The decoder 340 may generate one or more ops for an identified 
launch AC instruction and the execution units 370 may load, authenticate, and/or 

15 
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initiate execution of an AC module 190 in response to executing the associated 
ops. Further, the decoder 340 may generate one or more ops for an identified 
terminate AC instruction and the execution units 370 may terminate execution of 
an AC module 190, adjust security aspects of the computing device 100, and/or 
5 initiate execution of post-AC code in response to executing the associated ops. 
[0044] In particular, the decoder 340 may generate one or more ops that 
depend on the launch AC instruction and the zero or more operands associated 
with the launch AC instruction. Each launch AC instruction and its associated 
operands specify parameters for launching the AC module 190. For example, the 

10 launch AC instruction and/or operands may specify parameters about the AC 
module 190 such as AC module location, AC module-tength, and/or AC module 
execution point. The launch AC instruction and/or operands may also specify 
parameters about the private memory 160 such as, for example, private memory 
location, private memory length, and/or private memory implementation. The 

15 launch AC instruction and/or operands may further specify parameters for 
authenticating the AC module 190 such as specifying which authentication 
algorithms, hashing algorithms, decryption algorithms, and/or other algorithms are 
to be used. The launch AC instruction and/or operands may further specify 
parameters for the algorithms such as, for example, key length, key location, 

20 and/or keys. The launch AC instruction and/or operands may further specify 

parameters to configure the computer system 100 for AC module launch such as, 
for example, specifying events to be masked/unmasked and/or security 
capabilities to be updated. 
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[0045] The launch AC instructions and/or operands may provide fewer, 
additional, and/or different parameters than those described above. Furthermore, 
the launch AC instructions may comprise zero or more explicit operands and/or 
implicit operands. For example, the launch AC instruction may have operand 

5 values implicitly specified by processor registers and/or memory locations despite 
the launch AC instruction itself not comprising fields that define the location of 
these operands. Furthermore, the launch AC instruction may explicitly specify the 
operands via various techniques such as, for example, immediate data, register 
identification, absolute addresses, and/or relative addresses. 

1 0 [0046] The decoder 340 may also generate one or more ops that depend 
on the terminate AC instructions and the zero or more operands associated with 
the terminate AC instructions. Each terminate-AC instruction and its associated 
operands specify parameters for terminating execution of the AC module 190. 
For example, the terminate AC instruction and/or operands may specify 

15 parameters about the AC module 190 such as AC module location and/or AC 
module length. The terminate AC instruction and/or operands may also specify 
parameters about the private memory 160 such as, for example, private memory 
location, private memory length, and/or private implementation. The terminate 
AC instruction and/or operands may specify parameters about launching post-AC 

20 code such as, for example, launching method and/or post-AC code execution 
point. The terminate AC instruction and/or operands may further specify 
parameters to configure the computer system 100 for post-AC code execution 
such as, for example, specifying events to be masked/unmasked and/or security 
capabilities to be updated. 
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[0047] 



The terminate AC instructions and/or operands may provide fewer, 



additional, and/or different parameters than those described above. Furthermore, 
the terminate AC instructions may comprise zero or more explicit operands and/or 
implicit operands in a manner as described above in regard to the launch AC 
5 instructions. 



launching an AC module 190. In particular, the method 400 illustrates the 
operations of a processor 110 in response to executing an example ENTERAC 
instruction having an authenticate operand, a module operand, and a length 
10 operand. However, one skilled in the art should be able implement other launch 
AC instructions having fewer, additional, and/or different operands without undue 
experimentation. 



environment is appropriate to start execution of an AC module 190. For example, 
15 the processor 110 may verify that its current privilege level, operating mode, 
and/or addressing mode are appropriate. Further, if the processor supports 
multiple hardware threads, the processor may verify that all other threads have 
halted. The processor 110 may further verify that the chipset 120 meets certain 
requirements. In an example embodiment of the ENTERAC instruction, the 
20 processor 1 10 determines that the environment is appropriate in response to 
determining that the processor 1 10 is in a protected flat mode of operation, that 
the processor's current privilege level is 0, that the processor 1 10 has halted all 
other threads of execution, and that the chipset 120 provides trusted platform 
capabilities as indicated by one or more registers 126. Other embodiments of 



[0048] 



Referring now to FIG. 4, there is depicted a method 400 of 



[0049] 



In block 404, the processor 110 determines whether the 
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launch AC instructions may define appropriate environments differently. Other 
launch AC instructions and/or associated operands may specify environment 
requirements that result in the processor 110 verifying fewer, additional, and/or 
different parameters of its environment. 

5 [0050] In response to determining that the environment is inappropriate for 
launching an AC module 190, the processor 110 may terminate the ENTERAC 
instruction with an appropriate error code (block 408). Alternatively, the processor 
1 10 may further trap to some more trusted software layer to permit emulation of 
the ENTERAC instruction. 

10 [0051] Otherwise, the processor 110 in block 414 may update event 

processing to support launching the AC module 190. In an example embodiment 
of the ENTERAC instruction, the processor 110 m3sks processing of the INTR, 
NMI, SMI, INIT, and A20M events. Other launch AC instructions and/or 
associated operands may specify masking fewer, additional, and/or different 

15 events. Further, other launch AC instructions and/or associated operands may 
explicitly specify the events to be masked and the events to be unmasked. 
Alternatively, other embodiments may avoid masking events by causing the 
computing device 100 to execute trusted code such as, for example, event 
handlers of the AC module 190 in response to such events. 

20 [0052] The processor 110 in block 416 may lock the processor bus 130 to 
prevent the other processors 1 10 and the chipset 120 from acquiring ownership of 
the processor bus 130 during the launch and execution of the AC module 190. In 
an example embodiment of the ENTERAC instruction, the processor 110 obtains 
exclusive ownership of the processor bus 130 by generating a special transaction 
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that provides the other processors 1 10 and the chipset 120 with a 
LT.PROCESSOR.HOLD bus message. Other embodiments of launch AC 
instructions and/or associated operands may specify that the processor bus 130 
is to remain unlocked or may specify a different manner to lock the processor bus 
5 130, 

[0053] The processor 1 10 in block 420 may configure its private memory 
160 for receiving the AC module 190. The processor 110 may clear the contents 
of the private memory 160 and may configure control structures associated with 
the private memory 160 to enable the processor 1 10 to access the private 
10 memory 160. In an example embodiment of the ENTERAC instruction, the 

processor 1 10 updates one or more control registers to switch the cache memory 
1 12 to the cache-as-RAM mode and invalidates the contents of its cache memory 
112, 

[0054] Other launch AC instructions and/or associated operands may 
15 specify private memory parameters for different implementations of the private 
memory 160. (See, for example, FIGS. 1A-1E). Accordingly, the processor 110 
in executing these other launch AC instructions may perform different operations 
in order to prepare the private memory 160 for the AC module 190. For example, 
the processor 110 may enable/configure a memory controller (e.g. PM controller 
20 128 of FIG. 1E) associated with the private memory 160. The processor 110 may 
also provide the private memory 160 with a clear, reset, and/or invalidate signal to 
clear the private memory 160. Alternatively, the processor 110 may write zeros or 
some other bit pattern to the private memory 160, remove power from the private 
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memory 160, and/or utilize some other mechanism to clear the private memory 
160 as specified by the launch AC instruction and/or operands. 
[0055] In block 424, the processor 110 loads the AC module 190 into its 
private memory 160. In an example embodiment of the ENTERAC instruction, 

5 the processor 1 1 0 starts reading from a location of the memory 1 40 specified by 
the address operand until a number of bytes specified by the length operand are 
transferred to its cache memory 1 1 2. Other embodiments of launch AC 
instructions and/or associated operands may specify parameters for loading the 
AC module 190 into the private memory 160 in a different manner. For example, 

1 0 the other launch AC instructions and/or associated operands may specify the 
location of the AC module 190, the location of the private memory 160, where the 
AC module 190 is to be loaded in the private memory 160, and/or the end of the 
AC module 1 90 in numerous different manners. 

[0056] In block 428, the processor 1 1 0 may further lock the private memory 
15 160. In an example embodiment of the ENTERAC instruction, the processor 110 
updates one or more control registers to lock its cache memory 112 to prevent 
external events such as snoop requests from processors or I/O devices from 
altering the stored lines of the AC module 190. However, other launch AC 
instructions and/or associated operands may specify other operations for the 
20 processor 110. For example, the processor 1 1 0 may configure a memory 

controller {e.g. PM controller 128 of FIG. 1E) associated with the private memory 
160 to prevent the other processors 110 and/or chipset 120 from accessing the 
private memory 160. In some embodiments, the private memory 160 may 
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already be sufficiently locked, thus the processor 1 10 may take no action in block 
428. 

[0057] The processor in block 432 determines whether the AC module 1 90 
stored in its private memory 160 is authentic based upon a protection mechanism 

5 specified by the protection operand of the ENTERAC instruction. In an example 
embodiment of the ENTERAC instruction, the processor 110 retrieves a 
processor key 116, chipset key 124, and/or platform key 152 specified by the 
protection operand. The processor 1 10 then RSA-decrypts the signature 240 of 
the AC module 190 using the retrieved key to obtain the digest value 242. The 

10 processor 1 10 further hashes the AC module 190 using a SHA-1 hash to obtain a 
computed.digest value. The processor 1 1 0 then determines that the AC module 
190 is authentic in response to the computed digest value and the digest value 
242 having an expected relationship (e.g. equal to one another). Otherwise, the 
processor 110 determines that the AC module 190 is not authenticate. 

1 5 [0058] Other launch AC instructions and/or associated operands may 
specify different authentication parameters. For example, the other launch AC 
instructions and/or associated operands may specify a different authentication 
method, different decryption algorithms, and/or different hashing algorithms. The 
other launch AC instructions and/or associated operands may further specify 

20 "different key lengths, different key locations, and/or keys for authenticating the AC 
module 190. 

[0059] In response to determining that the AC module 1 90 is not authentic, 
the processor 110 in block 436 generates an error code and terminates execution 
of the launch AC instruction. Otherwise, the processor 110 in block 440 may 
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update security aspects of the computing device 100 to support execution of the 
AC module 190. In an example embodiment of the ENTERAC instruction, the 
processor 1 1 0 in block 440 writes a OpenPrivate command to a command 
register 126 of the chipset 120 to enable the processor 1 10 to access registers 
5 1 26 via the private space 142 with normal unprivileged read and write 
transactions. 

[0060] Other launch AC instructions and/or associated operands may 
specify other operations to configure the computing device 100 for AC module 
execution. For example, a launch AC instruction and/or associated operands 

10 may specify that the processor 1 1 0 leave the private space 1 42 in its current 
state. A launch AC instruction and/or associated operands may also specify that 
the processor 1 1 0 enable and/or disable access to certain computing resources 
such as protected memory regions, protected storage devices, protected 
partitions of storage devices, protected files of storage devices, etc. 

15 [0061J After updating security aspects of the computing device 100, the 
processor 1 10 in block 444 may initiate execution of the AC module 190. In an 
example embodiment of the ENTERAC instruction, the processor 110 loads its 
instruction pointer register 316 with the physical address provided by the module 
operand resulting in the processor 1 1 0 jumping to and executing the AC module 

20 1 90 from th£ execution point 260 specified by the physical address. Other launch 
AC instructions and/or associated operands may specify the location of the 
execution point 260 in a number of alternative manners. For example, a launch 
AC instruction and/or associated operands may result in the processor 110 
obtaining the location of the execution point 260 from the AC module 1 90 itself. 
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[0062] Referring now to FIG. 5, there is depicted a method 500 of 
terminating an AC module 190. In particular, the method 500 illustrates the 
operations of a processor 1 10 in response to executing an example EXITAC 
instruction having a protection operand, an events operand, and a launch 
5 operand. However, one skilled in the art should be able to implement other 
terminate AC instructions having fewer, additional, and/or different operands 
without undue experimentation. 

[0063] In block 504, the processor 1 1 0 may clear and/or reconfigure the 
private memory 160 to prevent further access to the AC module 190 stored in the 

10 private memory 160. In an example embodiment of the EXITAC instruction, the 
processor 110 invalidates its cache memory 112 and updates control registers to 
switch the cache memory 112 to the normal cache mode of operation. 
[0064] A terminate AC instruction and/or associated operand may specify 
private memory parameters for different implementations of the private memory 

15 160. (See, for example, FIGS. 1A-1E). Accordingly, a terminate AC instruction 
and/or associated operand may result in the processor 110 performing different 
operations in order to prepare the computing device 100 for post-AC code 
execution. For example, the processor 110 may disable a memory controller (e.g. 
PM controller 128 of FIG. 1E) associated with the private memory 160 to prevent 

20 further access to the AG module 190. The processor 110 may also provide the 
private memory 160 with a clear, reset, and/or invalidate signal to clear the private 
memory 160. Alternatively, the processor 110 may write zeros or some other bit 
pattern to the private memory 160, remove power from the private memory 160, 
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and/or utilize some other mechanism to clear the private memory 160 as specified 
by a terminate AC instruction and/or associated operands. 
[0065] The processor 1 10 in block 506 may update security aspects of the 
computing device 100 based upon the protection operand to support post-AC 
5 code execution. In an example embodiment of the EXITAC instruction, the 
protection operand specifies whether the processor 110 is to close the private 
space 142 or leave the private space 142 in its current state. In response to 
determining to leave the private space 142 in its current state, the processor 110 
proceeds to block 510. Otherwise, the processor 110 closes the private space 
10 142 by writing a ClosePrivate command to a command register 126 to prevent the 
processors 110 from further accessing the registers 126 via normal unprivileged 
read and write transactions to the private space 142. 

[0066] A terminate AC instruction and/or associated operands of another 
embodiment may result in the processor 110 updating other security aspects of 

15 the computing device 100 to support execution of code after the AC module 190. 
For example, a terminate AC instruction and/or associated operands may specify 
that the processor 110 enable and/or disable access to certain computing 
resources such as protected memory regions, protected storage devices, 
protected partitions of storage devices, protected files of storage devices, etc. 

20 [0067] The processor 110 in*block 510 may unlock the processor bus 130 
to enable other processors 110 and the chipset 120 to acquire ownership of the 
processor bus 130. In an example embodiment of the EXITAC instruction, the 
processor 110 releases exclusive ownership of the processor bus 130 by 
generating a special transaction that provides the other processors 110 and the 
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chipset 120 with a LT.PROCESSOR.RELEASE bus message. Other 
embodiments of terminate AC instructions and/or associated operands may 
specify that the processor bus 130 is to remain locked or may specify a different 
manner to unlock the processor bus 130. 

5 [0068] The processor 1 1 0 in block 514 may update events processing 
based upon the mask operand. In example embodiment of the EXITAC 
instruction, the mask operand specifies whether the processor 110 is to enable 
events processing or leave events processing in its current state. In response to 
determining to leave events processing in its current state, the processor 1 10 

10 proceeds to block 516. Otherwise, the processor 110 unmasks the INTR, NMI, 
SMI, INIT, and A20M events to enable processing of such events. Other 
terminate AC instructions and/or associated operands may specify unmasking 
fewer, additional, and/or different events. Further, other terminate AC instructions 
and/or associated operands may explicitly specify the events to be masked and 

15 the events to be unmasked. 

[0069] The processor 1 1 0 in block 516 terminates execution of the AC 
module 190 and launches post-AC code specified by the launch operand. In an 
example embodiment of the EXITAC instruction, the processor 110 updates its 
code segment register and instruction pointer register with a code segment and 

20 segment offset specified by the launch operand. As a result, the processor 1 1 0 
jumps to and begins executing from an execution point of the post-AC code 
specified by the code segment and segment offset. 
[0070] Other terminate AC modules and/or associated operands may 
specify the execution point of the post-AC code in a number of different manners. 
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For example, a launch AC instruction may result in the processor 110 saving the 
current instruction pointer to identify the execution point of post-AC code. In such 
an embodiment, the terminate AC instruction may retrieve the execution point 
saved by the launch AC instruction and initiate execution of the post-AC code 
5 from the retrieved execution point. In this manner, the terminate AC instruction 
returns execution to the instruction following the launch AC instruction. Further, in 
such an embodiment, the AC module 190 appears to have been called, like a 
function call or system call, by the invoking code. 

[0071] Another embodiment of the computing device 100 is shown in FIG. 

10 6. The computing device 100 comprises processors 110, a memory interface 620 
that provides the processors 110 access to a memory space 640, and a media 
interface 170 that provides the processors 110 access to media 180. The 
memory space 640 comprises an address space that may span multiple machine 
readable media from which the processor 110 may execute code such as, for 

15 example, firmware, system memory 140, private memory 160, hard disk storage, 
network storage, etc (See, FIGS. 1 A-1 E). The memory space 640 comprises pre- 
AC code 642, an AC module 190, and post-AC code 646. The pre-AC code 642 
may comprise operating system code, system library code, shared library code, 
application code, firmware routines, BIOS routines, and/or other routines that may 

20 launch execution of an AC module 190. The post-AC cod© 646 may similarly 
comprise operating system code, system library code, shared library code, 
application code, firmware routines, BIOS routines, and/or other routines that may 
be executed after the AC module 190. It should be appreciated that the pre-AC 
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code 642 and the post-AC code 646 may., be the same software and/or firmware 
module or different software and/or firmware modules. 
[0072] An example embodiment of launching and terminating an AC 
module is illustrated in FIG. 7A. In block 704, the computing device 100 stores 

5 the AC module 1 90 into the memory space 640 in response to executing the pre- 
AC code 642. In an example embodiment, the computing device 100 retrieves 
the AC module 190 from a machine readable medium 180 via the media interface 
170 and stores the AC module 190 in the memory space 640. For example, the 
computing device 100 may retrieve the AC module 190 from firmware, a hard 

1 0 drive, system memory, network storage, a file server, a web server, etc and may 
store the retrieved AC module 190 into a system memory 140 of the computing 
device 1 00. 

[0073] The computing device 100 in block 708 loads, authenticates, and 
initiates execution of the AC module 190 in response to executing the pre-AC 

1 5 code 642. For example, the pre-AC code 642 may comprise an ENTERAC 
instruction or another launch AC instruction that results in the computing device 
100 transferring the AC module 190 to private memory 160 of the memory space 
640, authenticating the AC module 190, and invoking execution of the AC module 
190 from its execution point. Alternatively, the pre-AC code 642 may comprise a 

20 series of instructions that result in the computing device 100 transferring the AC 
module 190 to private memory 160 of the memory space 640, authenticating the 
AC module 190, and invoking execution of the AC module 190 from its execution 
point. 
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[0074] In block 712, the computing device 100 executes the code 210 of 
the AC module 190 (See, FIG. 2). The computing device 100 in block 716 
terminates execution of the AC module 190 and initiates execution of the post-AC 
code 646 of the memory space 640. For example, the AC module 1 90 may 
5 comprise an EXITAC instruction or another terminate AC instruction that results in 
the computing device 100 terminating execution of the AC module 190, updating 
security aspects of the computing device 100, and initiating execution of the post- 
AC code 646 from an execution point of the post-AC code 646. Alternatively, the 
AC module 190 may comprise a series of instructions that result in the computing 
10 device 1 00 terminating execution of the AC module 190 and initiating execution of 
the post-ACTcode 646 from an execution point of the post-AC code 646. 
[0075] Another example embodiment of launching and terminating an AC 
module is illustrated in FIG. 7B. In block 740, the computing device 1 00 stores 
the AC module 190 into the memory space 640 in response to executing the pre- 
15 AC code 642. In an example embodiment, the computing device 100 retrieves 
the AC module 190 from a machine readable medium 180 via the media interface 
170 and stores the AC module 190 in the memory space 640. For example, the 
computing device 100 may retrieve the AC module 190 from firmware, a hard 
drive, system memory, network storage, a file server, a web server, etc and stores 
20 the retrieved AC module 190 into a system memory 140 of the computing device^ 
100. 

[0076] The computing device 100 in block 744 loads, authenticates, and 
initiates execution of the AC module 1 90 response to executing the pre-AC code 
642. The computing device in block 744 further saves an execution point for the 
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post-AC code 646 that is based upon the instruction pointer. For example, the 
pre-AC code 642 may comprise an ENTERAC instruction or another launch AC 
instruction that results in the computing device 100 transferring the AC module 
190 to private memory 160 of the memory space 640, authenticating the AC 

5 module 190, invoking execution of the AC module 190 from its execution point, 
and saving the instruction pointer so that the processor 1 1 0 may return to the 
instruction following the launch AC instruction after executing the AC module 190. 
Alternatively, the pre-AC code 642 may comprise a series of instructions that 
result in the computing device 100 transferring the AC module 190 to private 

10 memory 160 of the memory space 640, authenticating the AC module 190, 

invoking execution of the AC module 190 from its execution point, and saving the 
instruction pointer. - 

[0077] In block 748, the computing device 100 executes the code 210 of 
the AC module 190 (See, FIG. 2). The computing device 100 in block 752 

15 terminates execution of the AC module 190, loads the instruction pointer based 
execution point saved in block 744, and initiates execution of the instruction 
following the launch AC instruction or the series of instructions executed in block 
744. For example, the AC module 190 may comprise an EXITAC instruction or 
another terminate AC instruction that results in the computing device 100 

20 terminating execution of the AC module 190, updating security aspects of the 
computing device 100, and initiating execution of the post-AC code 646 from an 
execution point of the post-AC code 646 specified by the instruction pointer saved 
in block 744. Alternatively, the AC module 190 may comprise a series of 
instructions that result in the computing device 100 terminating execution of the 
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AC module 190, updating security aspects of the computing device 100, and 

initiating execution of the post-AC code 646 from an execution point of the post- 

AC code 646 specified by the instruction pointer saved in block 744, 

[0078] FIG. 8 illustrates various design representations or formats for 
5 simulation, emulation, and fabrication of a design using the disclosed techniques. 

Data representing a design may represent the design in a number of manners. 

First, as is useful in simulations, the hardware may be represented using a 

hardware description language or another functional description language which 

essentially provides a computerized model of how the designed hardware is 
10 expected to perform. The hardware model 810 may be stored in a storage 

medium 800 such as a computermemory so that the model may be simulated 

using simulation software 820 that applies a particular test suite 830 to the 

hardware model 810 to determine if it indeed functions as intended. In some 

embodiments, the simulation software is not recorded, captured, or contained in 
15 the medium. 

[0079] Additionally, a circuit level model with logic and/or transistor gates 
may be produced at some stages of the design process. This model may be 
similarly simulated, sometimes by dedicated hardware simulators that form the 
model using programmable logic. This type of simulation, taken a degree further, 
20 may be an emulation technique. In any case, re-configurable hardware is another ^ 
embodiment that may involve a machine readable medium storing a model 
employing the disclosed techniques. 

[0080] Furthermore, most designs, at some stage, reach a level of data 
representing the physical placement of various devices in the hardware model. In 
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the case where conventional semiconductor fabrication techniques are used, the 
data representing the hardware model may be the data specifying the presence 
or absence of various features on different mask layers for masks used to 
produce the integrated circuit. Again, this data representing the integrated circuit 
5 embodies the techniques disclosed in that the circuitry or logic in the data can be 
simulated or fabricated to perform these techniques. 

[0081] In any representation of the design, the data may be stored in any 
form of a computer readable medium. An optical or electrical wave 860 
modulated or otherwise generated to transmit such information, a memory 850, or 

10 a magnetic or optical storage 840 such as a disc may be the medium. The set of 
bits describing the design or the particular partof the design are an article that 
may be sold in and of itself or used by others for further design or fabrication. 
[0082] While certain exemplary embodiments have been described and 
shown in the accompanying drawings, it is to be understood that such 

15 embodiments are merely illustrative of and not restrictive on the broad invention, 
and that this invention not be limited to the specific constructions and 
arrangements shown and described, since various other modifications may occur 
to those ordinarily skilled in the art upon studying this disclosure. 



20 



32 



BNSOOCII) <WO_03058412A2J_> 



WO 03/(158412 



PCT/US02/41177 



What is claimed is: 

1. A method comprising 

transferring an authenticated code module to a private memory; and 
executing the authenticated code module stored in the private memory in 
5 response to determining that the authenticated code module stored in the private 
memory is authentic. 

2. The method of claim 1 further wherein transferring comprises transferring a 
number of bytes specified by an operand from a memory. 

10 

3. The method of claim 1 further comprising 

configuring a cache memory of the processor to operate like a random 
access memory, 

wherein transferring comprises storing the authenticated code module in 
15 the cache memory. 

4. The method of claim 3 further comprising invalidating the cache memory prior 
to storing the authenticated code module in the cache memory. 

20 5. The method of claim 3 further comprising locking the cache memory to prevent 
lines of authenticated code module from being replaced. 
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6. The method of claim 1 further comprising determining whether the 
authenticated code is authentic based upon a digital signature of the 
authenticated code module. 

5 7. The method of claim 1 further comprising 

obtaining a first value from the authenticated code module stored in the 

private memory; 

computing a second value from the authenticated code module; and 
determining that the authenticated code module is authentic in response to 
10 the first value and the second value having a predetermined relationship. 

8. The method of claim 1 further comprising 
retrieving a key, 

decrypting a digital signature of the authenticated code module with the 
1 5 key to obtain a first value, 

hashing the authenticated code module to obtain a second value; and 
executing the authenticated code module in response to the first value and 
the second value having a predetermined relationship. 

20 9. The method of claim 8 wherein 

decrypting comprises using the key to RSA-decrypt the digital signature, 

and 

hashing comprises apply a SHA-1 hash to the authenticated code module 
to obtain the second value. 
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10, The method of claim' 8 further comprising retrieving the key from the 
processor. 

5 1 1 . The method of claim 8 further comprising retrieving the key from a chipset. 

12. The method of claim 8 further comprising retrieving the key form a token. 

13. The method of claim 1 wherein transferring comprises receiving the 
10 authenticated code module from a machine readable medium. 



14. A computing device, comprising 

a chipset; 

a memory coupled to the chipset; 
15 a machine readable medium interface to receive an authenticated code 

module from a machine readable medium; 

a private memory coupled to the chipset; and 

a processor to transfer the authenticated code module from the machine 
readable medium interface to the private memory and to authenticate the 
20 authenticated code module stored in the private memory. 

1 5. The computing device of claim 14, wherein the chipset comprises a memory 
controller coupled to the memory and a separate private memory controller 
coupled to the private memory. 
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16. The computing device of claim 14, wherein 

the chipset comprises a key, and 

the processor authenticates the authenticated code module stored in the 
5 private memory based upon the key of the chipset 

17. The computing device of claim 14, wherein 

the processor comprises a key and authenticates the authenticated code 
module stored in the private memory based upon the key of the processor. 

10 

18. The computing device of claim 14, further comprising 

a token coupled to the chipset, the token comprising a key, wherein 
the processor authenticates the authenticated code module stored in the 
private memory based upon the key of the token. 

15 

19. A computing device, comprising 

a chipset; 

a machine readable medium interface to receive an authenticated code 
module from a machine readable medium; and 
20 a processor coupled to the chipset via a processor bus, the processor to 

transfer the authenticated code module from the machine readable medium 
interface to a private memory of the processor and to authenticate the 
authenticated code module stored in the private memory. 
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20. The computing device of claim 19, wherein the private memory is coupled to 
the processor via a dedicated bus. 



21. The computing device of claim 19. wherein the private memory is internal to 
5 the processor. 

22. The computing device of claim 1 9, wherein the private memory comprises 
internal cache memory of the processor. 

10 23. The computing device of claim 19 f further comprises 

other processors coupled to the chipset via the processor bus, wherein 
the processor further locks the processor bus to prevent the other 
processors from altering the authenticated code module. 

24. A computing device, comprising 
a memory; 

a chipset comprising a memory control that defines a portion of the 
memory as private memory; 

a machine readable medium to receive an authenticated code module from 
a machine readable medium; and 

a processor to transfer the authenticated code module from the machine 
readable medium interface to the private memory and to authenticate the 
authenticated code module stored in the private memory. 
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25. The computing device of claim 24, wherein the chipset comprises a memory 
controller coupled to the memory and a separate private memory controller 
coupled to the private memory. 

5 26. The computing device of claim 24, wherein 
the chipset comprises a key, and 

the processor authenticates the authenticated code module stored in the 
private memory based upon the key of the chipset. 

10 27. The computing device of claim 24, wherein 

the processor comprises a key and authenticates the authenticated code 
module stored irTthe private memory based upon the key of the processor. 

28. The computing device of claim 24, further comprising 
15 a token comprising a key, wherein 

the processor authenticates the authenticated code module stored in the 
private memory based upon the key of the token. 

29. A machine readable medium comprising one or more instructions that in 
^ 20 response to being executed result in a computing device 

transferring an authenticated code module to a private memory associated 
with a processor; and 
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executing the authenticated code module stored in the private memory in 
response to determining that the authenticated code module stored in the private 
memory is authentic. 

5 30. The machine readable medium of claim 29, wherein the one or more 
instructions in response to being executed result in the computing device 

determining whether the authenticated code is authentic based upon a 
digital signature of the authenticated code module. 

10 31 . The machine readable medium of claim 29, wherein the one or more 
instructions in response to being executed result in the computing device 

obtaining a first valueVom the authenticated code module stored in the 
private memory; 

computing a second value from the authenticated code module; and 
1 5 determining that the authenticated code module is authentic in response to 

the first value and the second value having a predetermined relationship. 

32. The machine readable medium of claim 29, wherein the one or more 
instructions in response to being executed result in the computing device 
20 retrieving an asymmetric key; 

decrypting a digital signature of the authenticated code module with the 
asymmetric key to obtain a first value; 

hashing the authenticated code module to obtain a second value; and 
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initiating execution of the authenticated code module in response to the 
first value and the second value having a predetermined relationship. 

33. The machine readable medium of claim 29, wherein the one or more 

5 instructions comprises a launch instruction that in response to being executed 
results in the computing device 

retrieving an asymmetric key; 

decrypting a digital signature of the authenticated code module with the 
asymmetric key to obtain a first value; 
10 hashing the authenticated code module to obtain a second value; and 

initiating execution of the authenticated code module in response to the 
first value and the second value having a predetermined relationship. 

34. The machine readable medium of claim 33, wherein the one or more 
1 5 instructions in response to being executed result in the computing device 

receiving the authenticated code module via a machine readable medium 
interface. 
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